Steven Rosenberg
2021-Jul-26 21:01 UTC
[CentOS] It's been six days since CVE-2021-33909 was patched in RHEL, what's the holdup for Stream 8?
This bug in the kernel was patched in RHEL on 7/20. Every other mainstream Linux distro patched it that day or the day after. That includes Rocky and Alma.

https://access.redhat.com/security/cve/CVE-2021-33909

It's still not patched six days later in CentOS Stream 8.

This Bugzilla entry makes it clear that when it comes to security, CentOS Stream falls behind RHEL. But this far behind?

https://bugzilla.redhat.com/show_bug.cgi?id=1975182

This doesn't make a good argument for Stream being a viable CentOS Linux replacement.
Carl George
2021-Jul-28 16:44 UTC
[CentOS] It's been six days since CVE-2021-33909 was patched in RHEL, what's the holdup for Stream 8?
It's being worked on. RHEL maintainers can fix things independently in different minor version branches. The fix was applied to the internal 8.4 branch while it was under embargo. It has since been released in RHEL 8.4, which allowed it to be rebuilt in CentOS Linux 8. CentOS Stream 8 is currently tracking the internal 8.5 branch, which just had the fix merged yesterday, along with many other changes, as kernel-4.18.0-326.el8. That build is going through QA now. Once completed, it will be exported to git.centos.org and rebuilt in CentOS Stream 8.

This is the "inside out" process we've referred to, and we know it's not ideal. CentOS Stream 9 improves on this significantly with RHEL maintainers doing their builds directly in the CentOS project, in the public.

I'll also note this isn't something new. We've been clear that RHEL gets some security fixes first. Typically it's only 1-2 days after RHEL 8 that we'll have the corresponding fix out for CentOS Linux 8 and CentOS Stream 8. No one is happy about how much longer this particular update is taking. The Stream model brings massive changes to the RHEL workflows, so no one should be surprised that there are growing pains.

On Mon, Jul 26, 2021 at 4:02 PM Steven Rosenberg via CentOS <centos at centos.org> wrote:
> This bug in the kernel was patched in RHEL on 7/20. Every other mainstream Linux distro patched it that day or the day after. That includes Rocky and Alma.
>
> https://access.redhat.com/security/cve/CVE-2021-33909
>
> It's still not patched six days later in CentOS Stream 8.
>
> This Bugzilla entry makes it clear that when it comes to security, CentOS Stream falls behind RHEL. But this far behind?
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1975182
>
> This doesn't make a good argument for Stream being a viable CentOS Linux replacement.

--
Carl George
Brian Stinson
2021-Jul-28 19:42 UTC
[CentOS] It's been six days since CVE-2021-33909 was patched in RHEL, what's the holdup for Stream 8?
Carl summarized really well how code moves through RHEL and CentOS Stream, and we're working on making sure we publish a build that has made it through the usual set of RHEL tests. -326 is a possible candidate here. Think about CentOS Stream as the development location for the next minor release of RHEL.

I'd like to highlight some of the general points related to this discussion:

- There are certain classes of CVE that we handle differently from normal development work: https://centos.org/distro-faq/#q4-how-will-cves-be-handled-in-centos-stream
- Since these fixes need to go into RHEL first, getting them into the development location (CentOS Stream) represents a separate set of work.
- Our intent is to get CVE fixes like this into Stream as soon as they're available, within the guidelines referenced in the FAQ.

In the past, updates have gone out quickly; we haven't artificially held up pushes and we will not do so going forward. We don't, though, make any forecasts or guarantees about turnaround time; this is to make sure we deliver those fixes correctly.

I hope that as we continue rolling out new workflows in CentOS Stream 9, we will be able to provide more direct feedback on patch status at a source code level. Just as a reminder, you can view and participate in development happening on GitLab: https://gitlab.com/redhat/centos-stream/

--
Brian